From ff321fd7cf845de5204596a3805cdc98f6504a36 Mon Sep 17 00:00:00 2001
From: Quanah Gibson-Mount <quanah@openldap.org>
Date: Mon, 3 Jan 2011 23:45:30 +0000
Subject: [PATCH] ITS#6722

---
 CHANGES                     |  1 +
 servers/slapd/schema_init.c | 22 ++++++++++++----------
 2 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/CHANGES b/CHANGES
index b92f22114b..57f793a635 100644
--- a/CHANGES
+++ b/CHANGES
@@ -22,6 +22,7 @@ OpenLDAP 2.4.24 Engineering
 	Fixed slapd config leak with olcDbDirectory (ITS#6634)
 	Fixed slapd to free controls if needed (ITS#6629)
 	Fixed slapd filter leak (ITS#6635)
+	Fixed slapd matching rules for strict ordering (ITS#6722)
 	Fixed slapd when first acl is value dependent (ITS#6693)
 	Fixed slapd modify to return actual error (ITS#6581)
 	Fixed slapd sortvals of attributes with 1 value (ITS#6715)
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index df805dbffc..c7c00cd4ff 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -485,13 +485,11 @@ octetStringMatch(
 	void *assertedValue )
 {
 	struct berval *asserted = (struct berval *) assertedValue;
-	int match = value->bv_len - asserted->bv_len;
+	ber_slen_t d = (ber_slen_t) value->bv_len - (ber_slen_t) asserted->bv_len;
 
-	if( match == 0 ) {
-		match = memcmp( value->bv_val, asserted->bv_val, value->bv_len );
-	}
+	*matchp = d ? (sizeof(d) == sizeof(int) ? d : d < 0 ? -1 : 1)
+		: memcmp( value->bv_val, asserted->bv_val, value->bv_len );
 
-	*matchp = match;
 	return LDAP_SUCCESS;
 }
 
@@ -511,7 +509,10 @@ octetStringOrderingMatch(
 	int match = memcmp( value->bv_val, asserted->bv_val,
 		(v_len < av_len ? v_len : av_len) );
 
-	if( match == 0 ) match = v_len - av_len;
+	if( match == 0 )
+		match = sizeof(v_len) == sizeof(int)
+			? (int) v_len - (int) av_len
+			: v_len < av_len ? -1 : v_len > av_len;
 
 	*matchp = match;
 	return LDAP_SUCCESS;
@@ -1419,9 +1420,10 @@ uniqueMemberMatch(
 	}
 
 	if( valueUID.bv_len && assertedUID.bv_len ) {
-		match = valueUID.bv_len - assertedUID.bv_len;
-		if ( match ) {
-			*matchp = match;
+		ber_slen_t d;
+		d = (ber_slen_t) valueUID.bv_len - (ber_slen_t) assertedUID.bv_len;
+		if ( d ) {
+			*matchp = sizeof(d) == sizeof(int) ? d : d < 0 ? -1 : 1;
 			return LDAP_SUCCESS;
 		}
 
@@ -1572,7 +1574,7 @@ booleanMatch(
 {
 	/* simplistic matching allowed by rigid validation */
 	struct berval *asserted = (struct berval *) assertedValue;
-	*matchp = value->bv_len != asserted->bv_len;
+	*matchp = (int) asserted->bv_len - (int) value->bv_len;
 	return LDAP_SUCCESS;
 }
 
-- 
2.39.5